System Settings

System Settings represent user-visible or OS-level configuration settings that influence device behavior, application permissions, connectivity, or system features.

Monitoring system settings changes allows defenders to detect abnormal modifications that may indicate malicious activity or device compromise.

Collection Methods

  • MDM device telemetry
  • Mobile EDR monitoring
  • OS configuration monitoring
ID: DC0118
Domains: Mobile
Version: 2.1
Created: 13 March 2023
Last Modified: 08 April 2026

Log Sources

| Name | Channel |
|---|---|
| android:MDMLog | device USB mode change (charging to file transfer / debugging / accessory) |
| android:MDMLog | Application or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition with weak recent user interaction context |
| android:MDMLog | No user-initiated airplane mode, radio disablement, or managed network setting change occurred during repeated connectivity degradation |
| iOS:MDMLog | Trusted computer / host relationship established or relevant device trust setting changed |
| iOS:MDMLog | No user-initiated airplane mode or radio-related setting change occurred while applications experience repeated network unavailability |
| MobileEDR:telemetry | Microphone sensor activation or audio recording session initiated by application process |
| MobileEDR:telemetry | Application transitions to background or executes while screen locked during microphone session |
| MobileEDR:telemetry | Cellular service state transitions (in-service→no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry |
| MobileEDR:telemetry | Application remains backgrounded while accessibility service continues to receive events or perform actions across other foreground apps |
| MobileEDR:telemetry | Camera sensor access began from app identity and remained active for sustained capture interval in app context not mapped to approved video recording workflow |
| MobileEDR:telemetry | Camera sensor access occurred while AppState=background, foreground service active without visible user action, or DeviceLockState=locked during capture interval |
| MobileEDR:telemetry | Foreground service continues accessing camera, microphone, location, or other while-in-use sensors after service promotion and outside recent user interaction |
| User Interface | None |

Detection Strategy